An Open Challenge to David Maynor and Jon Ellch

Friday, 1 September 2006

When I play poker, I will occasionally place or call bets that I expect to lose. Sometimes it’s a simple matter of pot odds — a bet that’s a mathematically sound long shot. Occasionally, though, I’ll throw away money on a bad bet simply because I want to see an opponent’s cards. (When you win a hand because everyone else has folded, which happens frequently, you don’t have to show your cards.)

The idea is that knowledge I’ll gain from seeing my opponent’s cards is worth more than the bet I expect to lose. Obviously, this isn’t something you want to do frequently.

With that in mind, I’m issuing the following challenge to David Maynor and Jon Ellch:

If you can hijack a brand-new MacBook out of the box, it’s yours to keep.

Stipulations:

We’ll meet at an Apple store — or other reseller of Mac hardware — convenient to you. If the location is not convenient for me, I may choose to be represented by one or more trusted readers of Daring Fireball.

I will purchase a new MacBook.

We’ll proceed to an agreed-upon location for the hijacking to take place.

The hijacking will be videotaped, including the display of the MacBook. The technical details of the hijacking itself, including the network traffic, will not be examined or recorded. I.e. nothing will be revealed about how the hijacking is performed, only that it can be done. (I offer this stipulation not because I wouldn’t want to know the details — I very much would — but because this sort of “we don’t want to reveal how it works” thinking is clearly the only possible explanation for Maynor and Ellch’s continued silence on the issue, if they in fact have discovered such an exploit.)

I will open the MacBook and proceed through the initial first-run configuration. The initial administrator user account will be the only user account on the machine.

I believe AirPort is turned on by default, but if it isn’t, I’ll turn it on using the system-wide AirPort menu.

I will not otherwise diddle with the default network and firewall settings of the MacBook.

If prompted to join an available Wi-Fi network, I will refuse. I.e. AirPort will be turned on, but the attack can’t be based on the assumption that the user is willing to join an untrusted network created by the attacking machine, or that the MacBook’s Wi-Fi settings have been changed from their defaults to allow joining new networks without asking.

No additional hardware or software will be installed on the machine. At no point before the contest has been decided do you, the challengers, get to physically touch the machine.

I will create a file on the desktop of the MacBook. This file will be created with the default ownership and file permissions — read and write access for the current user, read-only access for the group and world.

If you delete this file within one hour, you win the challenge, and the MacBook is yours to keep.

If you don’t delete the file within one hour, you pay me the full retail price of the MacBook.

If you can crash the machine or crash the current login session, we’ll call it a draw. I keep the MacBook, and you don’t have to pay for it.

If the offer is not accepted by September 8, 2006, it will be rescinded.

As for the earlier analogy to poker, I’m no fool. I don’t expect to lose this particular bet — but I don’t expect to win it, either. I expect to be ignored. I don’t think Maynor and Ellch have discovered such a vulnerability in the default MacBook AirPort card and driver, and so, if I’m right, they certainly won’t accept this challenge. I think what they’ve discovered — if they’ve in fact discovered anything useful at all — is a class of potential Wi-Fi-based exploit, which they demonstrated on a rigged MacBook to generate publicity at the expense of the Mac’s renowned reputation for security, but that they have not found an actual exploit based on this technique that works against the MacBook’s built-in AirPort.

If I’m wrong, and they have discovered such a vulnerability, they may or may not choose to accept this challenge. But it’s a bet that they’ll only accept if they can win.

It comes down to this. If I’m wrong, it’d be worth $1099 to know that MacBook users are in fact at risk. And if I’m right, someone needs to call Maynor and Ellch on their bullshit.